LightBasin Hacking Group Switches Focus From Windows To Linux To Target Telecom Sector

The threat actors identified as LightBasin have been targeting the telecom sector for several years. Yet, they managed to stay under the radar until recently. The researchers observed the threat actors specifically attack Linux systems for the malicious campaign.

LightBasin Hacker Group Targeting Telecom For Years

Researchers from CrowdStrike have found a specific threat actor group waging malicious campaigns against the telecommunication industry. Identified as “LightBasin”, the activity cluster UNC1945 has been targeting the telecom sector since at least 2016.

As observed, the hackers typically target Linux and Solaris servers, targeting Windows systems only when required. This platform-based emphasis depicts the threat actors’ particularity towards the telecom sector that predominantly relies on those operating systems.

LightBasin caught the researchers’ attention during a recent attack on a telecommunication firm that involved external DNS (eDNS) servers. These eDNS servers constituted a part of the GPRS network and manage roaming between different mobile operators.

The researchers noted the LightBasin managed to spread the infection via compromised eDNS servers from one telecom company to another via SSH. Since 2019, the hackers have compromised at least 13 different telecommunication companies globally.

During these attackers, the attackers managed to sneakily pilfer sensitive data from the firms, including subscribers’ details and call metadata.

Currently, it remains unclear where the threat actors belong to. Nonetheless, the researchers suspect that more such attacks will happen in the future. As stated in their post,

LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.

However, what presently seems is that the hackers might have been executing these attacks for “intelligence” purposes.

The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.

Suggested Security Measures

Since the primary threat of LightBasin dissemination arises from eDNS server communications, the researchers recommend the telecom firms restrict network protocols via firewalls rules for the GPRS network.

Besides, they advise all firms to conduct a thorough assessment of their systems to detect any compromised systems. Also, the companies should take measures to strengthen the security of their core Unix systems to prevent LightBasin and similar threats.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients